You want to apply the settings in a GPO to the users and/or computers within an OU, also known as linking the GPO to the OU.
Open the Group Policy Management (GPMC) snap-in.
Expand Forest in the left pane.
Expand Domain and navigate down to the OU in the domain you want to link the GPO to.
Right-click on the OU and select either Create and Link a GPO Here (if the GPO does not already exist) or Link an Existing GPO (if you have already created the GPO).
' This code links a GPO to an OU in the specified domain
' ------ SCRIPT CONFIGURATION ------
strDomainDN = "<DomainDN>"    ' e.g. dc=rallencorp,dc=com
strGPO      = "<GPOName>"     ' e.g. WorkstationsGPO
strOUDN     = "<OrgUnitDN>"   ' e.g. ou=Workstations,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

' Search the policies container for the GPO whose displayName matches strGPO.
' strDomainDN already carries its "dc=" components, so it is appended as-is.
strBaseDN = "<LDAP://cn=policies,cn=system," & strDomainDN & ">;"
strFilter = "(&(objectcategory=grouppolicycontainer)" & _
            "(objectclass=grouppolicycontainer)" & _
            "(displayname=" & strGPO & "));"
strAttrs  = "ADsPath;"
strScope  = "OneLevel"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBaseDN & strFilter & strAttrs & strScope)
if objRS.EOF <> TRUE then
   objRS.MoveFirst
end if

' Exactly one GPO must match; zero or several is an error
if objRS.RecordCount = 1 then
   strGPOADsPath = objRS.Fields(0).Value
   WScript.Echo "GPO Found: " & strGPOADsPath
elseif objRS.RecordCount = 0 then
   WScript.Echo "Did not find matching GPO for: " & strGPO
   Wscript.Quit
elseif objRS.RecordCount > 1 then
   WScript.Echo "More than 1 GPO found matching: " & strGPO
   Wscript.Quit
end if

' Read the OU's current gpLink value so the new link can be appended to it
set objOU = GetObject("LDAP://" & strOUDN)
on error resume next
strGPLink = objOU.Get("gpLink")
if Err.Number then
   ' -2147463155 (E_ADS_PROPERTY_NOT_FOUND) only means no GPO is linked yet
   if Err.Number <> -2147463155 then
      WScript.Echo "Fatal error while retrieving gpLink attribute: " & _
                   Err.Description
      Wscript.Quit
   end if
end if
on error goto 0

' Append "[<ADsPath>;0]" (0 = link enabled) to the existing gpLink string
objOU.Put "gpLink", strGPLink & "[" & strGPOADsPath & ";0]"
objOU.SetInfo
WScript.Echo "GPO successfully linked"
The GPOs that are linked to an OU are stored in the gpLink attribute of the OU. The format of the gpLink attribute is kind of strange, so you have to be careful when programmatically or manually setting that attribute. Since multiple GPOs can be linked to an OU, the gpLink attribute has to store multiple values; unfortunately, it does not store them as you might expect in a multivalued attribute. Instead, the links are stored as part of the single-valued gpLink attribute. The ADsPath of each linked GPO is concatenated into a string, with each enclosed in square brackets. The ADsPath for each GPO is followed by ;0 to signify the link is enabled or ;1 to signify the link is disabled. Here is an example gpLink with two GPOs linked:
[LDAP://cn={6491389E-C302-418C-8D9D-BB24E65E7507},cn=policies,cn=system,DC=rallencorp,DC=com;0][LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=rallencorp,DC=com;0]
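Because gpLink packs every link into one string, it is easy to corrupt when edited by hand or by a script that just appends. The following Python helpers, added here as an example and not part of the recipe or its VBScript, parse a gpLink value into (ADsPath, options) pairs, rebuild it, and append a new link while refusing to link the same GPO twice (the recipe's script appends unconditionally); the sample value is the two-GPO string shown above, and the GUID used for the new link in the usage is a constructed placeholder.

```python
import re
from typing import List, Tuple

# One gpLink entry is "[<ADsPath>;<options>]"; entries are concatenated with no
# separator. The recipe documents options 0 (link enabled) and 1 (link disabled).
_ENTRY = re.compile(r"\[([^;\]]+);(\d+)\]")
_WHOLE = re.compile(r"(?:\[[^;\]]+;\d+\])*")

# Constructed sample: the two-GPO gpLink value shown in the recipe text.
SAMPLE_GPLINK = (
    "[LDAP://cn={6491389E-C302-418C-8D9D-BB24E65E7507},"
    "cn=policies,cn=system,DC=rallencorp,DC=com;0]"
    "[LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},"
    "cn=policies,cn=system,DC=rallencorp,DC=com;0]"
)


def parse_gplink(gplink: str) -> List[Tuple[str, int]]:
    """Return (ADsPath, options) pairs in stored order; None or '' means no links."""
    text = (gplink or "").strip()
    if not _WHOLE.fullmatch(text):          # reject anything not made of [path;n] units
        raise ValueError(f"malformed gpLink value: {text!r}")
    return [(path, int(opts)) for path, opts in _ENTRY.findall(text)]


def build_gplink(entries) -> str:
    """Inverse of parse_gplink: serialise entries back into the bracketed format."""
    return "".join(f"[{path};{opts}]" for path, opts in entries)


def is_link_enabled(options: int) -> bool:
    """0 = enabled, 1 = disabled, as the recipe describes (bit 0 is the disable flag)."""
    return not (options & 1)


def add_gpo_link(gplink: str, gpo_adspath: str, enabled: bool = True) -> str:
    """Append a link for gpo_adspath; ADsPaths compare case-insensitively like DNs."""
    entries = parse_gplink(gplink)
    if any(path.lower() == gpo_adspath.lower() for path, _ in entries):
        raise ValueError(f"GPO already linked: {gpo_adspath}")
    entries.append((gpo_adspath, 0 if enabled else 1))
    return build_gplink(entries)


if __name__ == "__main__":
    for path, opts in parse_gplink(SAMPLE_GPLINK):
        print("enabled " if is_link_enabled(opts) else "disabled", path)
    # Placeholder GUID, not a real GPO
    new = "LDAP://cn={00000000-0000-0000-0000-000000000001},cn=policies,cn=system,DC=rallencorp,DC=com"
    print(add_gpo_link(SAMPLE_GPLINK, new, enabled=False))
```

Running parse_gplink over gpLink values pulled from an LDAP dump is a quick way to spot malformed strings or unexpected disabled links before they cause policy to silently stop applying.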
A much better VBScript solution for linking GPOs is described in Recipe 9.12, which uses the GPMC APIs.
See the Introduction in Chapter 9 for more information on GPMC, and MS KB 248392 (Scripting the Addition of Group Policy Links).